Support scalar tweak to rotate holder funding key during splicing

A scalar tweak applied to the base funding key to obtain the channel's
funding key used in the 2-of-2 multisig. This is used to derive
additional keys from the same secret backing the base `funding_pubkey`,
as we have to rotate keys for each successful splice attempt.

The tweak is computed similar to existing tweaks used in
[BOLT-3](https://github.com/lightning/bolts/blob/master/03-transactions.md#key-derivation),
but rather than using the `per_commitment_point`, as we cannot guarantee
that it will change across multiple splice attempts, we use the txid of
the funding transaction the splice transaction is spending, henceforth
known as the splice's parent funding txid.

  tweak = base_funding_key + SHA256(splice_parent_funding_txid || base_funding_pubkey)

Author: wpaulino

lightning/src/chain/channelmonitor.rs

@@ -3463,8 +3463,10 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		let countersignatory_keys =
 			&self.onchain_tx_handler.channel_transaction_parameters.holder_pubkeys;
 
-		let broadcaster_funding_key = broadcaster_keys.funding_pubkey;
-		let countersignatory_funding_key = countersignatory_keys.funding_pubkey;
+		let broadcaster_funding_key =
+			broadcaster_keys.funding_pubkey(&self.onchain_tx_handler.secp_ctx);
+		let countersignatory_funding_key =
+			countersignatory_keys.funding_pubkey(&self.onchain_tx_handler.secp_ctx);
 		let keys = TxCreationKeys::from_channel_static_keys(&their_per_commitment_point,
 			&broadcaster_keys, &countersignatory_keys, &self.onchain_tx_handler.secp_ctx);
 		let channel_parameters =
@@ -5405,13 +5407,13 @@ mod tests {
 			[0; 32],
 		);
 
-		let counterparty_pubkeys = ChannelPublicKeys {
-			funding_pubkey: PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[44; 32]).unwrap()),
-			revocation_basepoint: RevocationBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[45; 32]).unwrap())),
-			payment_point: PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[46; 32]).unwrap()),
-			delayed_payment_basepoint: DelayedPaymentBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[47; 32]).unwrap())),
-			htlc_basepoint: HtlcBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[48; 32]).unwrap()))
-		};
+		let counterparty_pubkeys = ChannelPublicKeys::new(
+			PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[44; 32]).unwrap()), None,
+			RevocationBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[45; 32]).unwrap())),
+			PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[46; 32]).unwrap()),
+			DelayedPaymentBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[47; 32]).unwrap())),
+			HtlcBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[48; 32]).unwrap()))
+		);
 		let funding_outpoint = OutPoint { txid: Txid::all_zeros(), index: u16::MAX };
 		let channel_id = ChannelId::v1_from_funding_outpoint(funding_outpoint);
 		let channel_parameters = ChannelTransactionParameters {
@@ -5657,13 +5659,13 @@ mod tests {
 			[0; 32],
 		);
 
-		let counterparty_pubkeys = ChannelPublicKeys {
-			funding_pubkey: PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[44; 32]).unwrap()),
-			revocation_basepoint: RevocationBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[45; 32]).unwrap())),
-			payment_point: PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[46; 32]).unwrap()),
-			delayed_payment_basepoint: DelayedPaymentBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[47; 32]).unwrap())),
-			htlc_basepoint: HtlcBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[48; 32]).unwrap())),
-		};
+		let counterparty_pubkeys = ChannelPublicKeys::new(
+			PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[44; 32]).unwrap()), None,
+			RevocationBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[45; 32]).unwrap())),
+			PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[46; 32]).unwrap()),
+			DelayedPaymentBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[47; 32]).unwrap())),
+			HtlcBasepoint::from(PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[48; 32]).unwrap())),
+		);
 		let funding_outpoint = OutPoint { txid: Txid::all_zeros(), index: u16::MAX };
 		let channel_id = ChannelId::v1_from_funding_outpoint(funding_outpoint);
 		let channel_parameters = ChannelTransactionParameters {

lightning/src/chain/onchaintx.rs

@@ -668,7 +668,7 @@ impl<ChannelSigner: EcdsaChannelSigner> OnchainTxHandler<ChannelSigner> {
 					}
 
 					// We'll locate an anchor output we can spend within the commitment transaction.
-					let funding_pubkey = &self.channel_transaction_parameters.holder_pubkeys.funding_pubkey;
+					let funding_pubkey = &self.channel_transaction_parameters.holder_pubkeys.funding_pubkey(&self.secp_ctx);
 					match chan_utils::get_anchor_output(&tx.0, funding_pubkey) {
 						// An anchor output was found, so we should yield a funding event externally.
 						Some((idx, _)) => {
@@ -1320,28 +1320,20 @@ mod tests {
 			[0; 32],
 			[0; 32],
 		);
-		let counterparty_pubkeys = ChannelPublicKeys {
-			funding_pubkey: PublicKey::from_secret_key(
-				&secp_ctx,
-				&SecretKey::from_slice(&[44; 32]).unwrap(),
+		let counterparty_pubkeys = ChannelPublicKeys::new(
+			PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[44; 32]).unwrap()),
+			None,
+			RevocationBasepoint::from(
+				PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[45; 32]).unwrap()),
 			),
-			revocation_basepoint: RevocationBasepoint::from(PublicKey::from_secret_key(
-				&secp_ctx,
-				&SecretKey::from_slice(&[45; 32]).unwrap(),
-			)),
-			payment_point: PublicKey::from_secret_key(
-				&secp_ctx,
-				&SecretKey::from_slice(&[46; 32]).unwrap(),
+			PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[46; 32]).unwrap()),
+			DelayedPaymentBasepoint::from(
+				PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[47; 32]).unwrap()),
 			),
-			delayed_payment_basepoint: DelayedPaymentBasepoint::from(PublicKey::from_secret_key(
-				&secp_ctx,
-				&SecretKey::from_slice(&[47; 32]).unwrap(),
-			)),
-			htlc_basepoint: HtlcBasepoint::from(PublicKey::from_secret_key(
-				&secp_ctx,
-				&SecretKey::from_slice(&[48; 32]).unwrap(),
-			)),
-		};
+			HtlcBasepoint::from(
+				PublicKey::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[48; 32]).unwrap()),
+			),
+		);
 		let funding_outpoint = OutPoint { txid: Txid::all_zeros(), index: u16::MAX };
 
 		// Use non-anchor channels so that HTLC-Timeouts are broadcast immediately instead of sent

lightning/src/events/bump_transaction.rs

@@ -38,7 +38,7 @@ use bitcoin::constants::WITNESS_SCALE_FACTOR;
 use bitcoin::locktime::absolute::LockTime;
 use bitcoin::consensus::Encodable;
 use bitcoin::secp256k1;
-use bitcoin::secp256k1::{PublicKey, Secp256k1};
+use bitcoin::secp256k1::{PublicKey, Secp256k1, Verification};
 use bitcoin::secp256k1::ecdsa::Signature;
 use bitcoin::transaction::Version;
 
@@ -61,9 +61,9 @@ pub struct AnchorDescriptor {
 impl AnchorDescriptor {
 	/// Returns the UTXO to be spent by the anchor input, which can be obtained via
 	/// [`Self::unsigned_tx_input`].
-	pub fn previous_utxo(&self) -> TxOut {
+	pub fn previous_utxo<C: Verification>(&self, secp: &Secp256k1<C>) -> TxOut {
 		TxOut {
-			script_pubkey: self.witness_script().to_p2wsh(),
+			script_pubkey: self.witness_script(secp).to_p2wsh(),
 			value: Amount::from_sat(ANCHOR_OUTPUT_VALUE_SATOSHI),
 		}
 	}
@@ -80,16 +80,16 @@ impl AnchorDescriptor {
 	}
 
 	/// Returns the witness script of the anchor output in the commitment transaction.
-	pub fn witness_script(&self) -> ScriptBuf {
+	pub fn witness_script<C: Verification>(&self, secp: &Secp256k1<C>) -> ScriptBuf {
 		let channel_params = self.channel_derivation_parameters.transaction_parameters.as_holder_broadcastable();
-		chan_utils::get_anchor_redeemscript(&channel_params.broadcaster_pubkeys().funding_pubkey)
+		chan_utils::get_anchor_redeemscript(&channel_params.broadcaster_pubkeys().funding_pubkey(secp))
 	}
 
 	/// Returns the fully signed witness required to spend the anchor output in the commitment
 	/// transaction.
-	pub fn tx_input_witness(&self, signature: &Signature) -> Witness {
+	pub fn tx_input_witness<C: Verification>(&self, secp: &Secp256k1<C>, signature: &Signature) -> Witness {
 		let channel_params = self.channel_derivation_parameters.transaction_parameters.as_holder_broadcastable();
-		chan_utils::build_anchor_input_witness(&channel_params.broadcaster_pubkeys().funding_pubkey, signature)
+		chan_utils::build_anchor_input_witness(&channel_params.broadcaster_pubkeys().funding_pubkey(secp), signature)
 	}
 }
 
@@ -601,7 +601,7 @@ where
 		// Our commitment transaction already has fees allocated to it, so we should take them into
 		// account. We do so by pretending the commitment transaction's fee and weight are part of
 		// the anchor input.
-		let mut anchor_utxo = anchor_descriptor.previous_utxo();
+		let mut anchor_utxo = anchor_descriptor.previous_utxo(&self.secp);
 		let commitment_tx_fee_sat = Amount::from_sat(commitment_tx_fee_sat);
 		anchor_utxo.value += commitment_tx_fee_sat;
 		let starting_package_and_fixed_input_satisfaction_weight =
@@ -641,7 +641,7 @@ where
 			// construct psbt
 			let mut anchor_psbt = Psbt::from_unsigned_tx(anchor_tx).unwrap();
 			// add witness_utxo to anchor input
-			anchor_psbt.inputs[0].witness_utxo = Some(anchor_descriptor.previous_utxo());
+			anchor_psbt.inputs[0].witness_utxo = Some(anchor_descriptor.previous_utxo(&self.secp));
 			// add witness_utxo to remaining inputs
 			for (idx, utxo) in coin_selection.confirmed_utxos.into_iter().enumerate() {
 				// add 1 to skip the anchor input
@@ -679,7 +679,7 @@ where
 			let signer = self.signer_provider.derive_channel_signer(anchor_descriptor.channel_derivation_parameters.keys_id);
 			let channel_parameters = &anchor_descriptor.channel_derivation_parameters.transaction_parameters;
 			let anchor_sig = signer.sign_holder_anchor_input(channel_parameters, &anchor_tx, 0, &self.secp)?;
-			anchor_tx.input[0].witness = anchor_descriptor.tx_input_witness(&anchor_sig);
+			anchor_tx.input[0].witness = anchor_descriptor.tx_input_witness(&self.secp, &anchor_sig);
 
 			#[cfg(debug_assertions)] {
 				let signed_tx_weight = anchor_tx.weight().to_wu();

lightning/src/ln/chan_utils.rs

@@ -35,7 +35,7 @@ use crate::util::transaction_utils;
 
 use bitcoin::locktime::absolute::LockTime;
 use bitcoin::ecdsa::Signature as BitcoinSignature;
-use bitcoin::secp256k1::{SecretKey, PublicKey, Scalar};
+use bitcoin::secp256k1::{SecretKey, PublicKey, Scalar, Verification};
 use bitcoin::secp256k1::{Secp256k1, ecdsa::Signature, Message};
 use bitcoin::{secp256k1, Sequence, Witness};
 
@@ -430,6 +430,24 @@ pub fn derive_private_revocation_key<T: secp256k1::Signing>(secp_ctx: &Secp256k1
 		.expect("Addition only fails if the tweak is the inverse of the key. This is not possible when the tweak commits to the key.")
 }
 
+/// Computes the tweak to apply to the base funding key of a channel.
+///
+/// The tweak is computed similar to existing tweaks used in
+/// [BOLT-3](https://github.com/lightning/bolts/blob/master/03-transactions.md#key-derivation), but
+/// rather than using the `per_commitment_point`, as we cannot guarantee that it will change across
+/// multiple splice attempts, we use the txid of the funding transaction the splice transaction is
+/// spending, henceforth known as the splice's parent funding txid.
+///
+///   tweak = base_funding_key + SHA256(splice_parent_funding_txid || base_funding_pubkey)
+//
+// TODO: Expose a helper on `FundingScope` that calls this.
+pub fn compute_funding_key_tweak(base_funding_pubkey: &PublicKey, splice_parent_funding_txid: &Txid) -> Scalar {
+	let mut sha = Sha256::engine();
+	sha.input(splice_parent_funding_txid.as_byte_array());
+	sha.input(&base_funding_pubkey.serialize());
+	Scalar::from_be_bytes(Sha256::from_engine(sha).to_byte_array()).unwrap()
+}
+
 /// The set of public keys which are used in the creation of one commitment transaction.
 /// These are derived from the channel base keys and per-commitment data.
 ///
@@ -470,7 +488,14 @@ impl_writeable_tlv_based!(TxCreationKeys, {
 pub struct ChannelPublicKeys {
 	/// The public key which is used to sign all commitment transactions, as it appears in the
 	/// on-chain channel lock-in 2-of-2 multisig output.
-	pub funding_pubkey: PublicKey,
+	funding_pubkey: PublicKey,
+	/// A scalar tweak applied to the base funding key to obtain the channel's funding key used in
+	/// the 2-of-2 multisig. This is used to derive additional keys from the same secret backing the
+	/// base `funding_pubkey`, as we have to rotate keys for each successful splice attempt.
+	///
+	/// The tweak is computed as described in [`compute_funding_key_tweak`], and it must only be set
+	/// for holder public keys, never for counterparty ones.
+	funding_key_tweak: Option<Scalar>,
 	/// The base point which is used (with [`RevocationKey::from_basepoint`]) to derive per-commitment
 	/// revocation keys. This is combined with the per-commitment-secret generated by the
 	/// counterparty to create a secret which the counterparty can reveal to revoke previous
@@ -489,12 +514,43 @@ pub struct ChannelPublicKeys {
 	pub htlc_basepoint: HtlcBasepoint,
 }
 
+impl ChannelPublicKeys {
+	/// Constructs a new instance of [`ChannelPublicKeys`].
+	pub fn new(
+		funding_pubkey: PublicKey, funding_key_tweak: Option<Scalar>,
+		revocation_basepoint: RevocationBasepoint, payment_point: PublicKey,
+		delayed_payment_basepoint: DelayedPaymentBasepoint, htlc_basepoint: HtlcBasepoint,
+	) -> Self {
+		Self {
+			funding_pubkey, funding_key_tweak, revocation_basepoint, payment_point,
+			delayed_payment_basepoint, htlc_basepoint,
+		}
+	}
+
+	/// Returns the funding public key with the required tweak applied if one exists.
+	pub fn funding_pubkey<C: secp256k1::Verification>(&self, secp: &Secp256k1<C>) -> PublicKey {
+		self.funding_key_tweak
+			.map(|tweak| {
+				self.funding_pubkey.add_exp_tweak(secp, &tweak).expect(
+					"Addition only fails if the tweak is the inverse of the key"
+				)
+			})
+			.unwrap_or(self.funding_pubkey)
+	}
+
+	/// Returns the tweak, if one exists, to apply to the funding key.
+	pub fn funding_key_tweak(&self) -> Option<Scalar> {
+		self.funding_key_tweak
+	}
+}
+
 impl_writeable_tlv_based!(ChannelPublicKeys, {
 	(0, funding_pubkey, required),
 	(2, revocation_basepoint, required),
 	(4, payment_point, required),
 	(6, delayed_payment_basepoint, required),
 	(8, htlc_basepoint, required),
+	(10, funding_key_tweak, option),
 });
 
 impl TxCreationKeys {
@@ -931,10 +987,10 @@ impl ChannelTransactionParameters {
 		}
 	}
 
-	pub(crate) fn make_funding_redeemscript(&self) -> ScriptBuf {
+	pub(crate) fn make_funding_redeemscript<C: Verification>(&self, secp: &Secp256k1<C>) -> ScriptBuf {
 		make_funding_redeemscript(
-			&self.holder_pubkeys.funding_pubkey,
-			&self.counterparty_parameters.as_ref().unwrap().pubkeys.funding_pubkey
+			&self.holder_pubkeys.funding_pubkey(secp),
+			&self.counterparty_parameters.as_ref().unwrap().pubkeys.funding_pubkey(&secp)
 		)
 	}
 
@@ -945,13 +1001,13 @@ impl ChannelTransactionParameters {
 
 	#[cfg(test)]
 	pub fn test_dummy(channel_value_satoshis: u64) -> Self {
-		let dummy_keys = ChannelPublicKeys {
-			funding_pubkey: PublicKey::from_slice(&[2; 33]).unwrap(),
-			revocation_basepoint: PublicKey::from_slice(&[2; 33]).unwrap().into(),
-			payment_point: PublicKey::from_slice(&[2; 33]).unwrap(),
-			delayed_payment_basepoint: PublicKey::from_slice(&[2; 33]).unwrap().into(),
-			htlc_basepoint: PublicKey::from_slice(&[2; 33]).unwrap().into(),
-		};
+		let dummy_keys = ChannelPublicKeys::new(
+			PublicKey::from_slice(&[2; 33]).unwrap(), None,
+			PublicKey::from_slice(&[2; 33]).unwrap().into(),
+			PublicKey::from_slice(&[2; 33]).unwrap(),
+			PublicKey::from_slice(&[2; 33]).unwrap().into(),
+			PublicKey::from_slice(&[2; 33]).unwrap().into(),
+		);
 		Self {
 			holder_pubkeys: dummy_keys.clone(),
 			holder_selected_contest_delay: 42,
@@ -1136,13 +1192,10 @@ impl HolderCommitmentTransaction {
 			countersignatory_htlc_key: HtlcKey::from_basepoint(&secp_ctx, &HtlcBasepoint::from(dummy_key), &dummy_key),
 			broadcaster_delayed_payment_key: DelayedPaymentKey::from_basepoint(&secp_ctx, &DelayedPaymentBasepoint::from(dummy_key), &dummy_key),
 		};
-		let channel_pubkeys = ChannelPublicKeys {
-			funding_pubkey: dummy_key.clone(),
-			revocation_basepoint: RevocationBasepoint::from(dummy_key),
-			payment_point: dummy_key.clone(),
-			delayed_payment_basepoint: DelayedPaymentBasepoint::from(dummy_key.clone()),
-			htlc_basepoint: HtlcBasepoint::from(dummy_key.clone())
-		};
+		let channel_pubkeys = ChannelPublicKeys::new(
+			dummy_key.clone(), None, RevocationBasepoint::from(dummy_key), dummy_key.clone(),
+			DelayedPaymentBasepoint::from(dummy_key.clone()), HtlcBasepoint::from(dummy_key.clone())
+		);
 		let channel_parameters = ChannelTransactionParameters {
 			holder_pubkeys: channel_pubkeys.clone(),
 			holder_selected_contest_delay: 0,